
Customizing the Windows Preinstallation Environment for PGP Whole Disk Encryption

Technical Note

Released July 2008.

Copyright Information
Copyright 1991-2008 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information


The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.

Acknowledgments
This product includes or may include: The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright 2007 by the Open Source Initiative. bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, 1996-2005. Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1. Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt. mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. jpeglib version 6a is based in part on the work of the Independent JPEG Group. 
(http://www.ijg.org/) libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge. 1997-2006. The license agreement is at http://www.pcre.org/license.txt. BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) Free BSD implementation of daemon developed by The FreeBSD Project, 1994-2006. Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University 1989, 1991, 1992, Networks Associates Technology, Inc, 2001- 2003, Cambridge Broadband Ltd. 2001- 2003, Sun Microsystems, Inc., 2003, Sparta, Inc, 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors. Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html. Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. 
PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright 1993, 1994 by Paul Vixie; used by permission. JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright 2006 The JacORB Project. TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html. libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o.
libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright 2000-2003 Free Software Foundation, Inc. gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html. Windows Template Library (WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php. The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.

Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Contents

Introduction to the Preinstallation Environment ............................................ 1
    Supported Versions of Windows PE ..................................................... 2
    How to Obtain Windows PE ............................................................. 2
    Customizable Windows PE Types ........................................................ 3

Creating a Windows PE CD ................................................................... 5
    Customizing Windows PE 1.x ........................................................... 5
    Customizing Windows PE 2.0 ........................................................... 6
    Using the Customized Windows PE CD/UFD to Obtain the Authentication Passphrase ....... 8

Customizing the Vista Installation Package to Upgrade Encrypted Operating Systems to Windows Vista ... 9
    Creating a Customized Installation Package ........................................... 9
    Installing the Microsoft Windows AIK drivers ........................................ 10
    Copying the Windows Vista Installation DVD .......................................... 10
    Copying the PGP Desktop and Windows PE Tool Files ................................... 10
    Adding the Driver to the Installation Package ....................................... 11
    Upgrading with the Customized Installation Package .................................. 11

Using PGP Whole Disk Encryption ........................................................... 13
    Using PGP Whole Disk Encryption with IBM Lenovo ThinkPad Systems .................... 13
    Using PGP Whole Disk Encryption with the Microsoft Windows XP Recovery Console ...... 14

Pgppe Commands ............................................................................ 17
    Files in the pgppe Tool ............................................................. 17
    The pgppe Command Line Format ....................................................... 18
    /Option [Parameter List]: ........................................................... 18

Using BartPE .............................................................................. 21
    Customizing the BartPE or BartPE-based Tools ........................................ 21
    Decrypting a Disk Using BartPE ...................................................... 22

Introduction to the Preinstallation Environment


The Microsoft Windows Preinstallation Environment (Windows PE) is widely used by IT professionals in Windows environments for installation, deployment, maintenance, troubleshooting, diagnosis, recovery, and similar tasks. For example, you can use Windows PE to:

- Integrate PGP WDE recovery with your existing IT recovery tools
- Create secure PE-based backup and recovery
- Upgrade a PGP WDE-encrypted system from Windows XP to Windows Vista

Windows PE does not work as shipped on a system where PGP Whole Disk Encryption (PGP WDE) is installed and the entire disk is encrypted. For Windows PE to work on such a system, the PGP WDE driver must be pre-installed into Windows PE and the administrator must authenticate to obtain access to the hard disk. You must have PGP Desktop for Windows version 9.7 or later installed in order to use Windows PE or BartPE.

Note: This document provides instructions for creating a 32-bit Windows Preinstallation Environment. While you can use the 32-bit Windows PE disk on a 64-bit system, you cannot create a 64-bit Windows PE disk.

You can add the PGP WDE drivers in two ways so that you can authenticate and perform recovery tasks on computers with PGP WDE-encrypted disks:

- To the system image, to be able to select the PE option at boot.
- To the CD/DVD/USB bootable recovery tool, to boot a PGP WDE-encrypted computer.

There are two issues to be resolved here:

1 Pre-install the PGP WDE driver into Windows PE.
2 Authenticate the passphrase that is entered via the command line and provide access to the encrypted disk.

You can also customize the Windows Vista Installation Package to upgrade computers encrypted with PGP Whole Disk Encryption.

Note: To authenticate users using Windows PE or BartPE, you must use passphrase users. Token or TPM users are not supported.


See the command line description in Using the Customized Windows PE CD/UFD to Obtain the Authentication Passphrase (on page 8). For information on using BartPE, see Using BartPE (on page 21).

In This Chapter

Supported Versions of Windows PE .......................................................... 2
How to Obtain Windows PE .................................................................. 2

Supported Versions of Windows PE


Currently, the following versions of Windows PE are supported:

- Windows XP: Windows PE version 1.0
- Windows XP Service Pack 1 (SP1): Windows PE version 1.1
- Windows Server 2003: Windows PE version 1.2
- Windows XP Service Pack 2 (SP2): Windows PE version 2004
- Windows Server 2003 Service Pack 1 (SP1): Windows PE version 2005 (1.6)
- Windows Vista: Windows PE version 2.0

The structure of the Windows PE versions prior to version 2.0 is broadly similar. In this document, for simplicity, versions earlier than Windows PE 2.0 are referred to as Windows PE 1.x. Keep in mind that:

- The structure of Windows PE 2.0 is quite different from that of Windows PE 1.x. The files for Windows PE 2.0 are contained in a Windows Image file (.wim).
- To customize Windows PE 2.0, the tools or API for the Windows Image Format are required. These can be found in the Windows Automated Installation Kit (AIK).

How to Obtain Windows PE


To use Windows PE, you need Windows PE (from Microsoft) and the PGP Whole Disk Encryption drivers and tools.

To obtain the PGP WDE drivers and tools, see the PGP Support Knowledgebase Article 807 (https://support.pgp.com/?faq=807). Also included in this KB article is a technical note you can download that contains all of the instructions in this section.

You can obtain Windows PE from:

- Windows OEM Preinstallation Kit (OPK): the package is available from Universal MSDN and Microsoft partners.
- Windows Automated Installation Kit (Windows AIK) (http://www.microsoft.com/downloads/details.aspx?familyid=c7d4bc6d-15f3-4284-9123-679830d629f2&displaylang=en), for Windows PE 2.0.

For more information about Windows PE and the Windows Image Format, see:

- http://www.microsoft.com/whdc/system/winpreinst/default.mspx
- http://technet2.microsoft.com/WindowsVista/en/library/129a1712-e3d8-46c1-bc09-a14349dc67db1033.mspx?mfr=true
- The Windows Preinstallation Kit User's Guide (http://technet.microsoft.com/en-us/windowsvista/aa905070.aspx), which is included with the OPK and the Windows Automated Installation Kit (AIK).

Customizable Windows PE Types


The following types of Windows PE can be customized:

- A Windows PE prepared for customization. You can create a Windows PE in a Windows folder and prepare it for customization. To do so, follow the instructions in the Windows Preinstallation Kit User's Guide.
- A Windows PE installed on a hard disk. You can customize a Windows PE that is installed on a hard disk partition or folder, such as a hard disk with diagnostic or recovery capabilities.

Creating a Windows PE CD
Creating a customized Windows PE CD/UFD (USB Flash Drive) provides a bootable recovery tool that can be used for rescue purposes. For example, you can use the DOS commands to copy, edit, back up and delete files.

To create a bootable Windows PE CD/UFD (USB Flash Drive) with the PGP WDE driver and tools pre-installed

To boot from a CD/UFD, you do not need access to the encrypted hard disk. However, you must do the following:

- Pre-install the PGP WDE driver for decrypting the hard disk.
- Pre-install the PGP WDE tools for authentication.

In This Chapter

Customizing Windows PE 1.x ................................................................ 5
Customizing Windows PE 2.0 ................................................................ 6
Using the Customized Windows PE CD/UFD to Obtain the Authentication Passphrase ............ 8

Customizing Windows PE 1.x


Ensure that the Windows PE 1.x is located on the C: drive in the folder c:\winpe_x86, and is ready for customization.

Note: Follow the instructions provided in the Windows Preinstallation Environment User's Guide to prepare a drive or folder for customization. The Windows PE User's Guide is included with the Windows OEM Preinstallation Kit (OPK).

To customize Windows PE 1.x, you must:

- Install the PGP WDE Tools
- Create the bootable ISO file or CD

To install the PGP WDE Tools

1 Copy the following files into the Windows folder c:\wde. These files are either provided in a zip file or on a disc, or they can be copied from the PGP WDE installation directory (from a system that has PGP Desktop installed).

    C:\Program Files\PGP Corporation\PGP Desktop\pgpbootb.bin
    C:\Program Files\PGP Corporation\PGP Desktop\pgpbootg.bin
    %SYSTEMROOT%\system32\PGPsdk.dll
    %SYSTEMROOT%\system32\pgpsdknl.dll
    %SYSTEMROOT%\system32\PGPwd.dll
    C:\Program Files\PGP Corporation\PGP Desktop\PGPwde.exe
    %SYSTEMROOT%\system32\drivers\PGPwded.sys
    C:\Program Files\PGP Corporation\PGP Desktop\Stage1

2 Run the command:

    pgppe /winpe c:\winpe_x86 c:\wde

To create the bootable .iso file or CD

The next step is to turn the customized Windows PE into a bootable .iso file and CD/UFD. Use the tool oscdimg.exe that is included with the OPK to create the .iso file as follows (the -b option takes the boot sector file with no space after it; -n allows long file names):

    oscdimg -bc:\build_x86\etfsboot.com -n c:\winpe_x86 c:\winpex86.iso

Use CD-recording software to burn the CD image file winpex86.iso.

Customizing Windows PE 2.0


Ensure that the Windows PE 2.0 is already in the Windows folder c:\winpe_x86, and is ready for customization.

Note: Follow the instructions provided in the Windows Preinstallation Environment User's Guide to prepare a drive or folder for customization. The Windows PE User's Guide is included with the Windows Automated Installation Kit (AIK).

To customize Windows PE 2.0, you must:

- Install the PGP WDE Tools
- Create the bootable ISO file or CD

To install the PGP WDE Tools

1 Copy the following files into the Windows folder c:\wde. These files are either provided in a zip file or on a disc, or they can be copied from the PGP WDE installation directory (from a system that has PGP Desktop installed).

    C:\Program Files\PGP Corporation\PGP Desktop\pgpbootb.bin
    C:\Program Files\PGP Corporation\PGP Desktop\pgpbootg.bin
    %SYSTEMROOT%\system32\PGPsdk.dll
    %SYSTEMROOT%\system32\pgpsdknl.dll
    %SYSTEMROOT%\system32\PGPwd.dll
    C:\Program Files\PGP Corporation\PGP Desktop\PGPwde.exe
    %SYSTEMROOT%\system32\drivers\PGPwded.sys
    C:\Program Files\PGP Corporation\PGP Desktop\Stage1

2 Run the command:

    pgppe /winpe c:\winpe_x86 c:\wde

3 Copy the file c:\winpe_x86\winpe.wim to c:\winpe_x86\ISO\source\boot.wim and overwrite the old boot.wim file.

To create the bootable .iso file or CD

The next step is to turn the customized Windows PE into a bootable .iso file and CD/UFD. Use the file oscdimg.exe that is included with the OPK/AIK to create the .iso file (the -b option takes the boot sector file with no space after it; -n allows long file names):

    oscdimg -n -bc:\build_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

Use CD-recording software to burn the CD image file winpe_x86.iso.
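The two procedures above (Windows PE 1.x and 2.0) as one PowerShell script; this is an added example, not code from PGP Corporation or from this technical note. It assumes pgppe.exe has been unpacked into c:\wde next to the WDE files, oscdimg.exe is on the PATH, and etfsboot.com is at c:\build_x86\etfsboot.com as in the commands above; it checks that every required file is present before pgppe runs, replaces boot.wim for a 2.0 build, and then builds the .iso.

```powershell
# Added example, not PGP Corporation's code: stage the PGP WDE driver and tool
# files from a machine with PGP Desktop installed, customize a Windows PE 1.x
# or 2.0 build with "pgppe /winpe", then build the bootable .iso with oscdimg.
# All locations below are assumptions; adjust them to your build.

$PgpDesktopDir = 'C:\Program Files\PGP Corporation\PGP Desktop'
$WdeDir        = 'c:\wde'                      # wde_path: driver + tools folder
$WinPeDir      = 'c:\winpe_x86'                # winpe_path: PE build folder
$PgppeExe      = 'c:\wde\pgppe.exe'            # assumed: pgppe.exe unpacked into c:\wde
$OscdimgExe    = 'oscdimg.exe'                 # from the OPK/AIK; assumed on the PATH
$EtfsBoot      = 'c:\build_x86\etfsboot.com'   # boot sector file used in the note

# The eight files the technical note lists under "To install the PGP WDE Tools".
$WdeFiles = @(
    (Join-Path $PgpDesktopDir 'pgpbootb.bin'),
    (Join-Path $PgpDesktopDir 'pgpbootg.bin'),
    (Join-Path $env:SystemRoot 'system32\PGPsdk.dll'),
    (Join-Path $env:SystemRoot 'system32\pgpsdknl.dll'),
    (Join-Path $env:SystemRoot 'system32\PGPwd.dll'),
    (Join-Path $PgpDesktopDir 'PGPwde.exe'),
    (Join-Path $env:SystemRoot 'system32\drivers\PGPwded.sys'),
    (Join-Path $PgpDesktopDir 'Stage1')
)

function Test-WdeFileSet {
    # Fail before touching the PE build: a PE customized without pgpwded.sys
    # boots but cannot see the encrypted disk, which is hard to diagnose later.
    $missing = @($WdeFiles | Where-Object { -not (Test-Path $_) })
    if ($missing.Count -gt 0) {
        throw "Missing PGP WDE files: $($missing -join ', ')"
    }
}

function Copy-WdeFiles {
    # Step 1 of both procedures: collect driver and tools in c:\wde.
    if (-not (Test-Path $WdeDir)) {
        New-Item -ItemType Directory -Path $WdeDir | Out-Null
    }
    foreach ($file in $WdeFiles) {
        Copy-Item -Path $file -Destination $WdeDir -Recurse -Force
    }
}

function Invoke-Pgppe {
    # Step 2, identical for PE 1.x and 2.0: pgppe /winpe winpe_path wde_path
    & $PgppeExe /winpe $WinPeDir $WdeDir | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "pgppe /winpe failed with exit code $LASTEXITCODE" }
}

function New-WinPeIso {
    # Windows PE 2.0 keeps its files in winpe.wim under the build folder; the
    # customized image must replace boot.wim inside the ISO folder before the
    # .iso is built (step 3 of the 2.0 procedure). PE 1.x has no ISO folder
    # and no such step.
    $isoFolder = Join-Path $WinPeDir 'ISO'
    if (Test-Path $isoFolder) {
        $bootWim = Get-ChildItem -Path $isoFolder -Recurse -Filter 'boot.wim' | Select-Object -First 1
        if (-not $bootWim) { throw "No boot.wim found under $isoFolder" }
        Copy-Item -Path (Join-Path $WinPeDir 'winpe.wim') -Destination $bootWim.FullName -Force
        $isoRoot = $isoFolder
    } else {
        $isoRoot = $WinPeDir
    }
    # Write the image next to, not inside, the folder being imaged.
    $isoFile = Join-Path (Split-Path $WinPeDir -Parent) 'winpe_x86.iso'
    # -b<file> takes the boot sector path with no space; -n allows long file names.
    & $OscdimgExe -n "-b$EtfsBoot" $isoRoot $isoFile | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "oscdimg failed with exit code $LASTEXITCODE" }
    return $isoFile
}

Test-WdeFileSet
Copy-WdeFiles
Invoke-Pgppe
New-WinPeIso
```

Run it from an elevated prompt on the machine that holds the PE build; the resulting c:\winpe_x86.iso is then burned or copied to a UFD as described in the following sections.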

Creating a bootable UFD


Use the file diskpart.exe in Windows to format the UFD. The following sample commands assume that disk 1 is the UFD:

    diskpart
    select disk 1
    clean
    create partition primary
    select partition 1
    active
    format fs=fat32
    assign
    exit

Copy all the files under c:\winpe_x86\ISO onto the UFD device. The following sample assumes that f: is the UFD device.

    xcopy c:\winpe_x86\iso\*.* /s /e f:\
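The UFD steps above as a PowerShell script, added here as an example and not taken from the technical note. It feeds the same diskpart commands in through a script file and, because clean erases whatever disk is selected, refuses to proceed unless the chosen disk number is a USB-attached device; it assumes disk 1, the ISO folder c:\winpe_x86\ISO and the drive letter F: as in the note.

```powershell
# Added example, not PGP Corporation's code: build the bootable UFD from the
# customized Windows PE 2.0 ISO folder. The diskpart sequence is the one in
# the technical note; the USB check is added because "clean" wipes whatever
# disk number is selected, and disk numbering differs between machines.

$DiskNumber  = 1                      # assumed: the UFD is disk 1, as in the note
$WinPeIsoDir = 'c:\winpe_x86\ISO'     # customized PE 2.0 ISO folder
$UfdLetter   = 'F'                    # drive letter to assign to the UFD

function Get-UsbDisk([int]$Number) {
    # Look the disk up by its diskpart/WMI index and require a USB interface
    # before anything destructive runs.
    $disk = Get-WmiObject -Class Win32_DiskDrive -Filter "Index = $Number"
    if (-not $disk) { throw "Disk $Number does not exist" }
    if ($disk.InterfaceType -ne 'USB') {
        throw ("Disk $Number ($($disk.Model), $($disk.InterfaceType)) is not a USB device; " +
               "refusing to run diskpart clean on it")
    }
    return $disk
}

function New-DiskpartScript([int]$Number, [string]$Letter) {
    # The note's interactive commands, with the drive letter fixed by
    # "assign letter=" so the xcopy destination is known in advance.
    return @"
select disk $Number
clean
create partition primary
select partition 1
active
format fs=fat32 quick
assign letter=$Letter
exit
"@
}

function New-WdeBootUfd {
    $null = Get-UsbDisk $DiskNumber
    $scriptPath = Join-Path $env:TEMP 'wde_ufd_diskpart.txt'
    Set-Content -Path $scriptPath -Value (New-DiskpartScript $DiskNumber $UfdLetter) -Encoding ASCII

    # /s runs diskpart non-interactively from the script file.
    & diskpart.exe /s $scriptPath | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

    # Same copy as the note (/s subdirectories, /e including empty ones);
    # /h also copies hidden and system files.
    $source = $WinPeIsoDir + '\*.*'
    $target = $UfdLetter + ':\'
    & xcopy.exe $source $target /s /e /h | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }
    return $target
}

New-WdeBootUfd
```

diskpart requires an elevated prompt; Get-UsbDisk throws before any disk is touched if the index points at an internal drive.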

Using the Customized Windows PE CD/UFD to Obtain the Authentication Passphrase


In this step, you enter the passphrase for authentication; if it succeeds, you can access the encrypted hard disk.

1 Boot from the customized Windows PE CD/UFD.
2 From the command prompt, use the pgpwde command line. For example:

    pgpwde --enum
    pgpwde --disk 0 --status
    pgpwde --disk 0 --auth -p xxxx

Customizing the Vista Installation Package to Upgrade Encrypted Operating Systems to Windows Vista
Before you upgrade an encrypted computer to Windows Vista, the PGP Whole Disk Encryption driver must be pre-installed into the Windows PE and Vista installation package. Without this step, the upgrade will fail. After customizing the installation package, you can upgrade a disk encrypted with PGP Whole Disk Encryption to Windows Vista in two ways:

- From a network shared folder containing the upgrade
- By using a customized Vista installation DVD

You must have access to the encrypted hard disk for the upgrade.

In This Chapter
Creating a Customized Installation Package ............................................... 9
Upgrading with the Customized Installation Package ...................................... 11

Creating a Customized Installation Package


Follow these steps to create a customized installation package:

1 Install the necessary drivers from the Microsoft Windows Automated Installation Kit (AIK).
2 Copy the Windows Vista Installation DVD to your desktop.
3 Copy the PGP Desktop files and PGP Corporation Windows PE tools to your desktop.
4 Add the driver to the installation package.


Installing the Microsoft Windows AIK drivers


1 Download the Microsoft Windows AIK from the Microsoft website.
2 From the Windows AIK installation directory, locate the wimfltr.sys and wimfltr.inf files for your platform.
3 Copy the platform-appropriate wimfltr.sys and wimfltr.inf to a new folder.
4 Select and install the file wimfltr.inf to install the driver.

Copying the Windows Vista Installation DVD


Copy the entire contents of the Windows Vista Installation DVD into a new folder on your desktop. Name the folder c:\vista.

Copying the PGP Desktop and Windows PE Tool Files


1 Download the Windows PE tool from the PGP Corporation website. To obtain the drivers and tools, see the PGP Support Knowledgebase Article 807 (https://support.pgp.com/?faq=807). Also included in this KB article is a technical note you can download that contains all of the instructions in this section.
2 Extract the contents of the PGP Windows PE package to a new folder on your desktop. Name the folder c:\WDE_PE. The files pgppe.exe and pgpstart.exe are saved to the folder.
3 Create a subfolder in your c:\WDE_PE folder called c:\WDE_PE\pe.
4 Locate a computer with PGP Desktop installed.
5 From that computer, copy the following files to the folder on your computer called c:\WDE_PE\pe.

    c:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe
    c:\Program Files\PGP Corporation\PGP Desktop\pgpbootb.bin
    c:\Program Files\PGP Corporation\PGP Desktop\pgpbootg.bin
    c:\Program Files\PGP Corporation\PGP Desktop\Stage1
    c:\Windows\System32\PGPwd.dll
    c:\Windows\System32\PGPsdk.dll
    c:\Windows\System32\PGPsdkNL.dll
    c:\Windows\System32\Drivers\pgpwded.sys


Adding the Driver to the Installation Package


To customize the installation package, run the following command in the c:\WDE_PE\pe directory.

    pgppe.exe /vista c:\vista

The driver is added to the installation package.

Upgrading with the Customized Installation Package


Start the upgrade from the computer's operating system. You cannot upgrade the system if you boot the computer from the Vista DVD. There are two ways to upgrade an encrypted hard disk using the customized installation package:

Upgrade to Vista from a network shared folder:

1 Place the folder containing the customized installation (for example, c:\vista) onto a network share.
2 From the Windows XP computer to be upgraded, navigate to the shared folder.
3 Start setup.exe to upgrade.

Upgrade to Vista from a DVD:

1 To create a DVD installation package, run the following command in the directory c:\Program Files\Windows AIK\Tools\PETools.

    oscdimg.exe -n -m -bx86\boot\etfsboot.com c:\Vista C:\WDE_Vista.iso

2 Burn the file c:\WDE_Vista.iso to a DVD.
3 Insert the DVD into the Windows XP computer to be upgraded. The installation starts automatically.
4 Select the option to install Windows Vista.
5 Select the option to upgrade the computer.
6 Continue the upgrade by following the installation process screens.

Note: During the upgrade, Windows will reboot the machine several times. When the boot guard appears, type in the passphrase and the Windows upgrade process will continue. Do not select the reboot option.


Using PGP Whole Disk Encryption


This section describes how to use PGP Whole Disk Encryption with the IBM Lenovo Rescue and Recovery feature, as well as with the Windows XP Recovery Console.

Note: To authenticate users using Windows PE or BartPE, you must use passphrase users. Token or TPM users are not supported.

In This Chapter
Using PGP Whole Disk Encryption with IBM Lenovo ThinkPad Systems ......................... 13
Using PGP Whole Disk Encryption with the Microsoft Windows XP Recovery Console ........... 14

Using PGP Whole Disk Encryption with IBM Lenovo ThinkPad Systems
Use the Windows Preinstallation Environment (PE) to pre-install the PGP WDE driver into IBM Lenovo ThinkPad Rescue and Recovery; the tool automatically detects the Lenovo Rescue and Recovery feature. This option is available only for IBM Lenovo systems running Rescue and Recovery version 3.0 and later. It picks up the PGP WDE driver from the \windows\system32\drivers directory. The two files installed into IBM Lenovo Rescue and Recovery are the PGP WDE driver (pgpwded.sys) and the PGPstart.exe file (for more information on this file, see the following procedure).

The files that are required to install PGP Whole Disk Encryption into IBM Lenovo Rescue and Recovery are:

- Files from the pgppe tool: pgppe.exe, pgpstart.exe
- Files from the PGP Desktop installation: pgpwded.sys, pgpbootb.bin, pgpbootg.bin, pgpsdk.dll, pgpsdknl.dll, pgpwd.dll, pgpwde.exe
- Files for Windows Vista only: the wimfltr drivers need to be installed (these are part of the Windows Automated Installation Kit)

Caution: Use this option only after PGP Desktop is installed on the system.

To enable Lenovo Rescue and Recovery

1 Install PGP Desktop.
2 Obtain and install the Windows Preinstallation Environment tools from the PGP Support Knowledgebase Article 807 (https://support.pgp.com/?faq=807).
3 Copy the PGPstart.exe and PGPpe.exe files from the zipped file into your installation directory (usually, c:\Program Files\PGP Corporation\PGP Desktop).
4 Start a command prompt and change to your installation directory.
5 Run the pgppe command as follows:

    pgppe /recovery

To remove Lenovo Rescue and Recovery support

Run the pgppe command as follows:

    pgppe /recovery /remove

To upgrade Lenovo Rescue and Recovery

Note: If your system is currently PGP Whole Disk Encrypted, it may be necessary to reinstall the PGP WDE drivers after upgrading the version of the Lenovo Rescue and Recovery software.

1 Upgrade your version of Lenovo Rescue and Recovery (refer to the Lenovo/IBM documentation for more information).
2 Reinstall the PGP WDE drivers by running the pgppe command as follows:

    pgppe /recovery

Using PGP Whole Disk Encryption with the Microsoft Windows XP Recovery Console
If you use the Windows XP Recovery Console for administration purposes, you must install the PGP WDE drivers into the Microsoft Windows Recovery Console when the disk is encrypted; otherwise the Recovery Console cannot be used.

Note: To authenticate users using Windows PE or BartPE, you must use passphrase users. Token or TPM users are not supported.

Caution: Install these drivers after PGP Desktop is installed and the disk is encrypted with PGP WDE.

To install PGP WDE drivers to the Windows XP Recovery Console

1 Install PGP Desktop.
2 Obtain and install the Windows Preinstallation Environment tools from the PGP Support Knowledgebase Article 807 (https://support.pgp.com/?faq=807).
3 Copy the PGPstart.exe and PGPpe.exe files from the zipped file into your installation directory (usually, c:\Program Files\PGP Corporation\PGP Desktop).
4 Start a command prompt and change to your installation directory.
5 Run the pgppe command as follows:

    pgppe /cmdcons

To remove drivers from the Windows XP Recovery Console

Run the pgppe command as follows:

    pgppe /cmdcons /remove


Pgppe Commands
The pgppe command line tool is used for customizing Windows PE. It can be used to:

- Pre-install the PGP WDE driver and tools on Windows PE and create a bootable CD/UFD.
- Pre-install the PGP WDE driver and tools on a Windows PE that is installed on a hard disk folder or partition.

In This Chapter
Files in the pgppe Tool ............................................................................ 17

Files in the pgppe Tool


The following files are included in the pgppe tool:

- pgppe.exe
- wimgapi.dll and wimfltr.sys, which are required to customize Windows PE 2.0. These tools are provided by Microsoft in the Windows AIK.

Note: The wimfltr driver has to be installed before wimgapi.dll can be used. If the Windows AIK is installed on the system, the driver wimfltr.sys is also installed. If not, you must install the wimfltr driver. The Windows AIK also provides wimfltr.inf, which is used to install wimfltr.sys.

The PGP WDE Driver File


Pgpwded.sys

The PGP WDE Tools Files


pgpbootb.bin
pgpbootg.bin
PGPsdk.dll
pgpsdknl.dll
PGPwd.dll
PGPwde.exe

Store the PGP WDE driver and tools in a single folder for use with pgppe.exe. The path that contains the PGP WDE driver and tools files is the wde_path. If the PGP WDE driver and tools are present in the same folder as pgppe.exe, you do not need to specify the wde_path on the command line.

The pgppe Command Line Format


    pgppe /option [Parameter List] [/remove]

Note: If /remove is not used, the pgppe.exe tool customizes the Windows PE; otherwise, it removes the customization from the Windows PE.

/Option [Parameter List]:


/winpe winpe_path [wde_path][/remove] This option pre-installs the PGP WDE driver and the tools into Windows PE. winpe_path = the path that contains winpe for customization or the path that already has the winpe installed on a hard disk. Examples for winpe_path: Windows PE 1.x for creating a bootable CD/UFD or hard disk. C:\ |___winpe_x86 |___I386 The winpe_path is c:\winpe_x86 Windows PE 2.0 for creating a bootable CD/UFD or hard disk. C:\ |___winpe_x86 |___ISO The winpe_path is c:\winpe_x86 Windows PE 1.x is installed on a folder or a partition. C:\ |___Minint The winpe_path is c: /recovery [/remove]


This option is available only for IBM Lenovo systems running Rescue and Recovery version 3.0 and later. This option pre-installs the PGP WDE driver into Lenovo Rescue and Recovery and automatically detects the Lenovo Rescue and Recovery support. It picks up the PGP WDE driver from the \windows\system32\drivers directory. The two files installed into the IBM Lenovo Rescue and Recovery are the PGP WDE driver (pgpwded.sys) and the PGPstart.exe file.

Caution: Use this option only after PGP Desktop is installed on the system.

/cmdcons [/remove]

This option pre-installs the PGP WDE driver into the Microsoft Recovery Console. This option automatically detects the Recovery Console and installs the PGP WDE driver. It picks up the PGP WDE driver from System32\drivers.

Caution: Use this option only after PGP Desktop is installed on the system.

/vista vista_path [wde_path] [/remove]

This option pre-installs the PGP WDE driver into the Vista installation package.

vista_path = the path that contains the whole Vista installation package. Usually, to customize a Vista installation package, you create a folder on a hard disk and then copy all the files into that folder from the Windows Vista DVD. The path of that folder is the vista_path.

Caution: Use this option only after PGP Desktop is installed on the system.
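The /winpe option is the one most often scripted, and it fails in the least helpful ways when the winpe_path layout is wrong, wimfltr.sys is missing, or a PGP WDE file is absent from the wde_path. The batch file below is an added example, not part of the PGP technical note and not a PGP tool: it performs those checks from the preceding sections before calling pgppe.exe. It assumes pgppe.exe sits in the wde_path (the note's default when no wde_path is given), that wimfltr.sys lands in %SystemRoot%\System32\drivers when Windows AIK installs it, and that pgppe.exe signals failure through a non-zero exit code; the script name and the treatment of Stage1 as a warning rather than an error are the author's choices.

```batch
@echo off
rem pgppe-customize.cmd  (added example; not a PGP Corporation tool)
rem Pre-flight checks around:  pgppe /winpe winpe_path [wde_path] [/remove]
rem Usage:  pgppe-customize.cmd winpe_path [wde_path] [/remove]
setlocal EnableExtensions

set "WINPE=%~1"
set "WDE=%~2"
set "REMOVE="
if /i "%~2"=="/remove" (set "WDE=" & set "REMOVE=/remove")
if /i "%~3"=="/remove" set "REMOVE=/remove"
if "%WINPE%"=="" (
  echo Usage: %~nx0 winpe_path [wde_path] [/remove]
  exit /b 2
)

rem Default wde_path: the folder this script lives in (assumed to hold pgppe.exe).
if "%WDE%"=="" set "WDE=%~dp0"
if "%WDE:~-1%"=="\" set "WDE=%WDE:~0,-1%"
if not exist "%WDE%\pgppe.exe" (
  echo ERROR: pgppe.exe not found in "%WDE%"
  exit /b 1
)

rem 1. Recognise the three winpe_path layouts described in the note.
set "LAYOUT="
if exist "%WINPE%\I386\"   set "LAYOUT=Windows PE 1.x build folder (I386)"
if exist "%WINPE%\ISO\"    set "LAYOUT=Windows PE 2.0 build folder (ISO)"
if exist "%WINPE%\Minint\" set "LAYOUT=Windows PE 1.x installed on disk (Minint)"
if not defined LAYOUT (
  echo ERROR: "%WINPE%" has no I386, ISO or Minint subfolder; not a recognised Windows PE layout
  exit /b 1
)
echo Detected: %LAYOUT%

rem 2. Windows PE 2.0 customization needs the WIM filter driver before wimgapi.dll is usable.
rem    Assumed driver location: %SystemRoot%\System32\drivers (where Windows AIK installs it).
if exist "%WINPE%\ISO\" if not exist "%SystemRoot%\System32\drivers\wimfltr.sys" (
  echo ERROR: wimfltr.sys is not installed. Install Windows AIK, or install wimfltr.inf from it, then retry.
  exit /b 1
)

rem 3. Unless removing the customization, every PGP WDE driver/tool file the note lists must exist.
if defined REMOVE goto :run
set /a MISSING=0
for %%F in (pgpwded.sys pgpbootb.bin pgpbootg.bin PGPsdk.dll pgpsdknl.dll PGPwd.dll PGPwde.exe) do (
  if not exist "%WDE%\%%F" (
    echo ERROR: missing "%WDE%\%%F"
    set /a MISSING+=1
  )
)
if %MISSING% GTR 0 exit /b 1
rem Stage1 is copied alongside the other files in the note's BartPE steps; warn only.
if not exist "%WDE%\Stage1" echo WARNING: "%WDE%\Stage1" not found

:run
echo Running: "%WDE%\pgppe.exe" /winpe "%WINPE%" "%WDE%" %REMOVE%
"%WDE%\pgppe.exe" /winpe "%WINPE%" "%WDE%" %REMOVE%
rem Assumption: pgppe.exe returns a non-zero exit code on failure (the note does not state this).
if errorlevel 1 (
  echo ERROR: pgppe.exe returned exit code %errorlevel%
  exit /b %errorlevel%
)
echo Done.
exit /b 0
```

Because BartPE uses the same core as WinPE, the same script applies unchanged to a PE Builder output folder such as d:\pebuilder3110a\BartPE, which presents the I386 layout. Run it with /remove to strip the customization again before rebuilding a PE image from a clean folder.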


Using BartPE
BartPE (Bart's Preinstalled Environment) is similar to Microsoft's Windows PE tool. This section describes how to use BartPE to create a preinstallation environment.

In This Chapter
Customizing the BartPE or BartPE-based Tools.......................................21
Decrypting a Disk Using BartPE...............................................................22

Customizing the BartPE or BartPE-based Tools


The cores of BartPE and WinPE are the same, so customizing BartPE works the same way as customizing WinPE. The steps to customize WinPE manually, and to customize it with the pgppe command line tool, also apply to BartPE.

Note: To use BartPE, you need to obtain the PGP WDE drivers and tools; see the PGP Support Knowledgebase Article 807 (https://support.pgp.com/?faq=807). This KB article also includes a downloadable technical note that contains all of the instructions in this section.

To customize BartPE manually, see Customizing Windows PE 1.x (on page 5).

To customize BartPE with the pgppe command line tool, see /Option [Parameter List]: (on page 18) for information on the command /winpe winpe_path [wde_path] [/remove].

You can also develop your own config file, script, or tool to customize your specific BartPE-based tools.

Note: To authenticate users using Windows PE or BartPE, you must use passphrase users. Token or TPM users are not supported.

Sample steps to customize BartPE


1 Create a BartPE in a Windows folder using PE Builder (for example, d:\pebuilder3110a\BartPE).

2 Copy the following files into a Windows folder (for example, d:\wde):

  pgpbootb.bin
  pgpbootg.bin
  PGPsdk.dll
  pgpsdknl.dll
  PGPwd.dll
  PGPwde.exe
  Stage1
  pgpwded.sys

3 Run the following command (changing folder names if necessary):

  pgppe.exe /winpe d:\pebuilder3110a\BartPE d:\wde

4 Create a bootable ISO file from the folder d:\pebuilder3110a\BartPE. You can use any tool that can create a BartPE or WinPE ISO file, such as the oscdimg.exe utility that comes with the OPK, to create a customized BartPE ISO file. Both the oscdimg.exe and etfsboot.com utilities can be found in the WinPE folder on the OPK installation disc (copy the contents of the WinPE folder on the disc into a folder on your system named d:\build_x86). For example, use the following command:

  oscdimg -bd:\build_x86\etfsboot.com -n d:\pebuilder3110a\BartPE d:\bartpe.iso

Tip: The Microsoft Windows Automated Installation Kit (AIK) for Windows Vista (http://www.microsoft.com/downloads/details.aspx?familyid=c7d4bc6d15f3-4284-9123-679830d629f2&displaylang=en), freely available from Microsoft, includes both the oscdimg.exe and etfsboot.com utilities. After you install the AIK, you can view the included documentation on how to use the oscdimg.exe utility.

Decrypting a Disk Using BartPE


The following steps provide detailed information on how to decrypt a disk using BartPE.

To decrypt a PGP WDE-encrypted disk

1 Download the following files:

  BartPE (current version is 3.1.10a) from http://www.nu2.nu/pebuilder/
  Windows XP SP2 ISO from MSDN
  Windows AIK from MSDN (contains the oscdimg utility)

2 Install BartPE.

3 Build a basic PE output based on the Windows XP SP2 build files.

4 Download PGPPE.exe from PGP KB Article 807 (Windows PE) (https://support.pgp.com/?faq=807).

5 Create a c:\WDE folder containing the required files, as described in Copying the PGP Desktop and Windows PE Tool Files (on page 10).

6 Run the following command:

  pgppe.exe /winpe c:\pebuilder3110a\BartPE c:\wde

7 Run the following command:

  oscdimg -bc:\pebuilder3110a\bartPE\bootsect.bin -n c:\pebuilder3110a\bartPE bartpe.iso

8 Mount the bartpe.iso and boot to the .iso.

9 From within the BartPE environment, launch a command prompt and enter the following command:

  pgpwde --decrypt --disk 0 --passphrase diskpassword

  The system responds with "Start decrypt disk completed".

10 During the process, about midway through, enter the following command:

  pgpwde --disk 0 --status

  The system responds with "Encryption removal process is running in the background".

Once the decryption process has completed, you can boot the Windows XP system without PGP BootGuard.

